The secret to online safety: Lies, random characters, and a password manager

Or, how to go from "123456" to "XBapfSDS3EJz4r42vDUt."

Setting a master password and the beauty of passphrases

So far there’s been plenty of master password talk, but no advice about how to choose one. A good starting point for creating master passwords comes in a guide Goldberg of AgileBits published a couple of years ago:

The challenge that we face is to have master passwords that [are] not going to be guessed by password cracking programs, yet we mere mortals are capable of remembering and typing without it being a burden.

What makes this a particular challenge is the fact that the bad guys know at least as much about how people pick passwords as we do. They are not only reading the same password picking advice that gets posted in places like this, but they have studied millions of stolen passwords.

Here is an important principle that we need to keep in mind:

The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

One good approach to creating a master password is to use a passphrase, a string of words or even a full sentence complete with spaces (yes, spaces in a password are perfectly OK and can make them easier to remember). "My name is Jon Brodkin and I am a writer for Ars Technica" would be an example of a passphrase.

But that's a true statement, one that’s easy to discover from a Google search. Thus, it's not nearly as random as we'd like it to be.

Lying might be the best option. "If your master password is to be based on something meaningful, remember that there are more ways to lie than to tell the truth," Goldberg wrote. "There are more ways for me to lie about my pets than tell the truth, and so I should use a lie."

Making the statement nonsensical adds even more randomness, Goldberg writes. "So let’s change my three bats to thirty-five bats, but still list three: I have 35 bats: Larry, Moe & Curly."

Of course, "Larry, Moe & Curly" is a widely used phrase from popular culture, so it's best to change that up as well. "Even though the Moe & Curly add 11 characters to the password, those 11 characters are so predictable that they add very little actual strength," Goldberg writes. "Even though it is shorter, using I have 35 bats: Larry & Amy is actually stronger than I have 35 bats: Larry, Moe & Curly."

(Note: not to be too painfully obvious, but these are examples to help you come up with your own master passwords. It's not a good idea to use the actual examples from a publicly accessible password creation guide.)

Adding to the "lies are more random than truth" theme, Goldberg instructs users to avoid using secrets or things that are personally meaningful in a master password. "The more personally meaningful something is to you the fewer alternatives there are. There are more things that don’t have personal meaning to you than do," he wrote.

If you're having trouble coming up with a strong master password, there's one way out: roll the dice, literally. Goldberg points users to Diceware, in which you roll dice and match the numbers to a list of 7,776 words that make up the Diceware system. For example, a roll of "16655" results in the word "clause."

"The great thing about Diceware is that we know exactly how secure it is even assuming that the attacker knows the system used," Goldberg writes. "The security comes from the genuine randomness of rolling the dice. The bad news is that we need passwords that are at least five or six Dicewords long to resist plausible attacks."

The best approach is to combine Diceware with a private system. This might involve using four Diceware words and one weak password of your own creation. A password like 2dM&P (standing for Goldberg's two dogs, Molly and Patty), will be easy to remember and add even more randomness to a string of Diceware words. The final master password would then be something like cleft 2dM&P cam synod lacy.
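The Diceware mechanics described above, as an added example (not AgileBits' or the Diceware project's own code): turning a five-dice roll into a word-list index, rolling with a CSPRNG instead of a plain PRNG, and counting how many different results the system can produce, which is the strength principle quoted earlier. The three-entry word list is a constructed stand-in for the real 7,776-word list; only the "16655" → "clause" entry comes from the article.

```python
import math
import secrets

WORDS_IN_LIST = 6 ** 5                    # 7,776 words, one per five-dice roll
BITS_PER_WORD = math.log2(WORDS_IN_LIST)  # about 12.925 bits per word

# Constructed stand-in for the real 7,776-word list: the roll quoted in the
# article plus two made-up entries, keyed by the dice string.
SAMPLE_WORDLIST = {"16655": "clause", "11111": "a", "66666": "zoo"}


def roll_to_index(roll: str) -> int:
    """Turn a five-dice roll such as '16655' into a 0-based list index.
    Each die is a base-6 digit (1..6), so '11111' -> 0 and '66666' -> 7775."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"bad roll {roll!r}: need five digits 1-6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def secure_roll(n_dice: int = 5) -> str:
    """Simulate n dice with the OS CSPRNG (secrets, never random.*)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def outcomes(n_words: int) -> int:
    """The principle quoted above: strength is how many different results the
    same system can produce. For n Diceware words that is 7776 ** n."""
    return WORDS_IN_LIST ** n_words


def passphrase_bits(n_words: int, extra_bits: float = 0.0) -> float:
    """Entropy of n words, assuming the attacker knows the system. extra_bits is
    credit for a private add-on like '2dM&P': only its unpredictability counts."""
    return n_words * BITS_PER_WORD + extra_bits


if __name__ == "__main__":
    print(SAMPLE_WORDLIST["16655"], roll_to_index("16655"))   # clause 1288
    for n in (4, 5, 6):
        print(f"{n} words: {passphrase_bits(n):.1f} bits, {outcomes(n):,} outcomes")
    print("fresh roll:", secure_roll())
```

Five words come to about 64.6 bits and six to about 77.5, which is why the guide asks for at least five or six words when the attacker is assumed to know the system.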

The key to creating a strong passphrase is to pick a string of words that's easy for you to remember but is not just a famous movie or literary quote, song lyric, piece of personal information, or a single word straight from the dictionary. The best passphrases will also include a mix of capitalization, punctuation, and numbers.

Given those parameters, let's look at an example, choosing words at random that don't really have a relation to each other but that hold meaning for you:

volkswagensummeryellowtulip

That's a 27-character nonsensical phrase that will still be easy to remember. Now if we really want to increase the strength of the phrase, we can then add a better mix of character types:

V0lk$wagenSummerYellow!Tulip

So now, we have a 28-character master password, with lowercase, uppercase, a number, and some symbols.

"If you write a sentence composed of 30 to 40 letters which is easy to remember as a sentence, that's a really good password generally," Lieberman said.

But again, make sure it's not a sentence based on personal facts. Anyone with access to your Facebook account could already have a goldmine of information. Gosney noted that stringing unrelated words together can result in a strong password. (He pointed us toward a site called "Random Word Machine" that generates nonsense words that are pronounceable and perhaps easy to remember.)

"I'm a big fan of the passphrase approach, because I know first-hand how difficult it is to crack passphrases," Gosney told Ars. "But I must emphasize the importance of selecting completely unrelated words when constructing a passphrase. They don't necessarily have to be random words, but they absolutely have to be unrelated words. They cannot be song lyrics. They cannot be quotes from a book or movie. If you were to Google this four- or five-word phrase, this sequence of words cannot appear together at all. It also helps a lot if you throw in some capital letters and numbers, and add punctuation to your passphrase."

While experts tend to agree that passphrases make good master passwords, they don't necessarily agree on all the smaller details. Goldberg's guide, for example, suggests that punctuation may not be as important as others think.

"Capitalizing the beginnings of words or changing 'for' to '4' really doesn’t add much security," Goldberg writes. He believes hackers are aware of these tricks, and the extra complication can make it less likely that you'll remember the password. "Adding punctuation in truly random manner makes the password too hard to remember," he writes.

Whatever you choose, it's important to train yourself to remember it. Set your password manager to prompt you for the password every few minutes, forcing you to type it more frequently. While you're still in the process of committing a master password to permanent memory, it's OK to write the password down and store it in your wallet or someplace secure. After all, if you lose the master password, you lose access to all your passwords. Once you're confident you won't forget the password, you could destroy the piece of paper.

While it's important to change weak passwords to something stronger, Goldberg says there's no need to change a master password if it is strong and easy to remember. "Ideally you should pick a good master password at the outset and never change it," he writes.

The paper approach is not to be scoffed at

We've now gone through the basics of using password managers, but perhaps you're still skeptical. Isn't this all too complicated? There is another approach that may sound insecure on its face, but isn't necessarily a bad option. We're talking about writing your passwords down.

Bruce Schneier is widely regarded as one of the top experts on security, and he says it’s OK to write your passwords on a piece of paper.

"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks and are much more secure if they choose a password too complicated to remember and then write it down," Schneier wrote in 2005. "We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper and keep it with their other valuable small pieces of paper: in their wallet."

That being said, don't store your passwords on a piece of paper underneath your keyboard or in plain sight on your desk (yes, some people do this). And make sure they are long and secure, perhaps using the Diceware method mentioned above.

Even though a piece of paper isn't encrypted, it can be argued that storing data on a piece of paper and treating it as you would your most valuable possessions is more secure than putting it in a cloud service. This can work both ways, though. The paper approach makes you less likely to get hacked by an evil guy halfway around the world, but it also makes you more vulnerable to people who are close to you and have physical access to your belongings. There is no one right answer for everyone.

Case in point, Gosney told me about his father. "My dad is a very skeptical person and takes security and privacy very seriously. So seriously, in fact, that he has zero trust in computers." He went through the trouble of creating complicated passwords for all the sites he visits, but he decided to store each sign-in using a piece of paper instead of a password manager.

"He doesn't use debit cards or teller machines, won't shop or bank online, and social networking is an inconceivable privacy violation. It's an admirable mentality, really," Gosney said. "I once suggested he use a password manager to help remember his passwords for him and he asked me why he should trust his computer to store his passwords when he doesn't trust his computer. It's hard to argue with that. So I suggested he write his passwords down on a piece of paper and keep it in his wallet. Now, my dad is a tough guy and is very intimidating. No one is getting into that wallet. That wallet is probably the most secure place on the face of this planet."

It hasn't failed him yet. But we think most people will find life a bit more pleasant if they use a password manager instead.

Promoted Comments

I've done the nonsense answer thing for a while with my benefits reminder Q&A at work for years. Best is when they let you enter your own question freeform -- that way you can enter a question that you can be sure someone will "know" the answer to and frustrate them with an answer that is a complete non-sequitur. For example: "What is the average airspeed of an unladen swallow?" makes for a fine question -- as long as the answer has absolutely NOTHING to do with Monty Python.

Random misdirection is one thing -- but a question that leads would-be hackers down an entirely wrong path is altogether more fun.

Some things that I think are important to note about LastPass (and may exist in 1Password, but I haven't tried it, so I don't know):

1) It provides you the ability to enter your passphrase via a virtual keyboard, to minimize the risk when you're on a non-secure public computer
2) It additionally provides a mechanism for one-time-only passwords that replace your passphrase to additionally minimize the risk when you're on a non-secure public computer
3) It supports Google Authenticator for 2-factor authentication (which I appreciate quite a bit).

These tipped me over the edge and have made me really impressed with the amount of thought put into the password management systems available.

A password manager only works if you use it, and I couldn't commit to the user experience of a password manager until I found Dashlane. I feel Dashlane deserves a mention in this article, since it certainly compares to 1Password, LastPass and company.

Dashlane provides a smart (and easy-to-use) cross-platform desktop app paired with great browser plugins and mobile apps for iOS and Android. Fully-encrypted syncing is built in (not a 3rd-party function), with the only key tied to your master password. Your private data can only be decrypted locally, with 2-step verification for any new devices. The company recently moved to a more mature business model of $20/year for synced service between 2 or more devices, but your first device is still a free place to start.

I've used Dashlane for a year and appreciated it as a brand new password manager built around secure syncing and a great application/plug-in experience. They are steadily improving their service and I'm impressed at how efficiently they respond to bugs and suggestions.

Unfortunately, Dashlane is now more expensive than LastPass or 1Password. Still, none of the other managers give me everything I want. I prefer a dedicated app (easier to maintain than a browser-based solution), built-in syncing (less worrisome than 3rd-party patches) and a good-looking easy-to-use UI (easier to learn and troubleshoot for the less technically-inclined).

When writing things on a piece of paper you can easily obfuscate the content. Here's an example:

Say I have a bank account number I want to record. Randomly I insert a telephone number I'd instantly recognize such as my home phone growing up. Those extra 10 digits don't all have to be in one string either. I could put the area code in one place, include 3 or 4 real digits then finish the number. The final 7 numbers are so obvious my eye will lock in on them. Then I know to look for (and remove) the area code.

Of course, one need not use only telephone numbers. Meaningful dates, addresses, etc. can all be used as stuffing.

Of course, if you're a super nerd you can reorder the characters according to some sequence you'll remember. I prefer Pascal's triangle because, well, nobody ever gives it any love. However, Fibonacci's sequence works just as well. When doing that I cycle around rather than pad with a huge number of bogus characters - it just saves space.

And yes, I've carried my bank account info, logins, etc. obfuscated in such a way in my wallet since people were still trying out names like the "Information Superhighway" or "Infobahn" until everyone finally settled on "Internet".

I noted the following horrible security question prompts from a bank a few months ago. Sadly, far too many are like this:
- "What is your favorite television show?" (because I'll never like something new)
- "What is the first name of your youngest child?" (because I'll never have another child)

Security strength aside, I don't know why the manual-password-reset guys don't freak out about idiotic questions like this, given the number of times they must talk to people who are answering the questions correctly, but not consistently.

My bank goes one step further to inconvenience and confuse its online clients -- even though log-in passwords are not case sensitive, the friggin "security question" answers are case sensitive.

Nothing will ever beat Fidelity though. They limit you to, I think, twelve characters. Special symbols are NOT allowed at all. Just alphanumeric characters.

But wait! That's just the beginning. Internally they convert your twelve character password into numbers based on a touch tone phone pad. So if your password started with the following six characters: abcABC, internally your password is stored as 111111. And, of course, if your password were to change to AbcCaB, internally it would still be stored as 111111.

So: no special characters, no differentiation between upper and lower case characters, twenty six unique characters compressed (invisibly behind your back) into ten unique characters. The total password space is limited to one trillion unique passwords (assuming you use all twelve places allotted to you).

I have actually tested this. I translated my password into digits based on a phone pad and was able to log in with this bullshit password without any problems.

I have no idea how they store these passwords, but if they are using a weak hashing algorithm then the entire password table can be cracked in less than two minutes on a normal password cracking system. And given how stupid their password system is, I have no reason to believe they actually know enough to not use a weak system. I suspect this is a legacy from when all their customers only used the phone to manage their money, but they need to get with the program here.

Sent them a note about this as I moved my money to a different institution. But they don't care.
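An added example (not Fidelity's code or the commenter's) modelling the normalization described in the comment above, so its effect on the password space can be measured rather than estimated. It assumes the standard ITU E.161 keypad layout (ABC on 2, DEF on 3, and so on), case folding before mapping, and the twelve-character alphanumeric limit the comment describes.

```python
import math

# Standard keypad letters (ITU E.161): 2=ABC 3=DEF 4=GHI 5=JKL 6=MNO 7=PQRS 8=TUV 9=WXYZ
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
MAX_LEN = 12   # the twelve-character limit described in the comment


def keypad_normalize(password: str) -> str:
    """Model of what such a backend stores: case is dropped, digits are kept and
    every letter collapses to the digit of its key, so 'abcABC' -> '222222'."""
    if len(password) > MAX_LEN:
        raise ValueError(f"longer than {MAX_LEN} characters")
    out = []
    for ch in password.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"{ch!r} not allowed: alphanumeric only")
    return "".join(out)


def colliding(a: str, b: str) -> bool:
    """True when two different passwords authenticate as the same credential."""
    return a != b and keypad_normalize(a) == keypad_normalize(b)


def stored_keyspace(max_len: int = MAX_LEN) -> int:
    """Distinct stored values: ten digits per position, 10**12 for twelve."""
    return 10 ** max_len


def nominal_keyspace(max_len: int = MAX_LEN) -> int:
    """What a case-insensitive alphanumeric policy looks like on paper: 36**12."""
    return 36 ** max_len


if __name__ == "__main__":
    print(keypad_normalize("abcABC"), keypad_normalize("AbcCaB"))
    print("collide:", colliding("abcABC", "AbcCaB"))
    print(f"stored: {stored_keyspace():,} values ({math.log2(stored_keyspace()):.1f} bits)")
    print(f"nominal: {nominal_keyspace():,} values ({math.log2(nominal_keyspace()):.1f} bits)")
```

The stored form tops out at one trillion values, just under 40 bits, against about 62 bits for the policy as advertised; any audit of a login system should measure the keyspace after every normalization step, not before.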